Port scanner

This type of scan is also known as a stealth scan, since TCP implementations do not inform the associated service if connections are not fully established. This means that it does not generate any log data for attempted connection establishment or does not notice anything from the scan. The SYN scan is therefore invisible from the application point of view. However, this does not apply to the network level: Firewalls or intrusion detection systems still recognize this type of scan and can block it if necessary with the help of the port knocking process, in which the port is only opened after a pre-agreed packet sequence has been received.

System administrator rights are also required on most source systems because TCP packets have to be handcrafted by the port scanner.

TCP SYN scans can be used for denial of service attacks in the form of SYN floods .

TCP-FIN / Xmas / Null-Scan

These methods do not establish a connection, but rather examine the behavior of subsequent packets. If a port is open, the subsequent packets should be ignored as they do not belong to an existing connection. If the port is closed, a reset packet should be sent.

Which flags are set exactly depends on the type of scan:

TCP idlescan

This scan is carried out through a middleman called a zombie. The idlescan is currently the only known scanning method in which the scanned host cannot draw any conclusions about the scanning host, since it only believes to see packets from the zombie.

Zombie host

To be suitable as a zombie host for the Idlescan, it must meet the following conditions:

1. The zombie host must be able to receive packets from the target
2. The IPID (IP Identification Number, part of the IP header ) must be predictable for the port scanner.

The predictability of the IPID results on the one hand from the fact that most operating systems use a system-global counter for the IPID, which is increased by a certain value whenever the system sends a self-generated packet. The values ​​vary depending on the operating system and are typically 1, 4 or 8. In addition, for predictability it is important that the zombie itself ideally does not generate any IPID-changing packets, i.e. the system is idle - hence the term idle scan.

Surprisingly, routers are very suitable as zombies, as they normally only pass packets through (their IPID does not change), but do not participate in network traffic themselves.

procedure

Schematic representation of a TCP idle scan

For the actual scan, the port scanner needs the current IPID of the zombie. To find out the IPID, e.g. B. simply sent a TCP connection request (SYN) to him. The zombie replies SYN | ACK or RST, the reply packet contains the current IPID (2).

For the actual port scan, the attacker sends a spoofed SYN packet to the target (3). The attacker sets the IP address of the zombie host as the source IP address. If the port is open, the target sends a SYN | ACK packet to the zombie (4a). Since he has not opened a connection, the zombie sends an RST packet to the target (4a). Assuming that the zombie always increments the IPID by the value one, the following applies: this reset is sent to the target with an IPID + 1. If the port is closed, the target sends an RST packet to the zombie (4b). This package is simply ignored by the zombie. Now the attacker asks for the current IPID (5) in the same way as at the beginning. If the IPID has increased by 2 (1 packet to the target + 1 packet to the attacker), the port is open. If the IPID is only 1 higher (only 1 packet to the attacker), the port is closed (6).

UDP scan

A direct scan of UDP ports is not possible because the protocol works without a connection . A scan is still possible via a detour. To do this, an empty UDP packet is sent to the relevant port. If a UDP packet also comes back, the port is open. If there is no answer, the port is either closed or filtered. If a "Port Unreachable" error message is received, the port is closed. On most systems, the output of ICMP error messages is throttled in order to prevent a denial-of-service attack. Therefore, UDP scans are mostly time consuming.

FTP bounce scan

In an FTP bounce scan, the attacker needs an FTP server that allows the PORT command. The attacker can use the PORT command to transfer the IP address of the victim and a port to be checked. If the FTP server can establish a connection with the transferred data, a service runs on the port, which the server announces to the attacker. This variant of FTP was originally intended to be able to easily copy files between servers. The attacker remains invisible to the victim because a direct connection between the victim and the attacker never has to be established.

Additional functions

Legal Aspects

The legality of port scans is controversial as they can be seen as the first instance of an intrusion attempt. In any case, use on your own systems is legal. The legal situation for port scans against third-party systems and networks is less clear. Since, for example, sensitive computers can be disturbed by many connection requests, this can be seen as an attack on the availability of a system and, in Germany, punished by Section 303b of the Criminal Code ( computer sabotage ). The SANS Institute also confirms the dichotomy between port scans in a publication.

$ nc -vz $zu_scannender_host 1-65535